iOS Google Authenticator fails to register a device with an Invalid barcode error when using OATH nodes in Identity Cloud and AM 7.1

Last updated Nov 17, 2021

The purpose of this article is to provide assistance if you encounter an "Invalid barcode" error when attempting to register a device with the iOS® Google® Authenticator app. This issue occurs when using a journey or tree that contains the OATH Registration node in Identity Cloud or AM.


Symptoms

You will see the following error on your device when scanning a QR code with the iOS Google Authenticator app in order to register the device:

Invalid barcode The barcode [URL] is not a valid authentication token barcode

The same QR code will work with other authenticators such as the ForgeRock Authenticator or the Android™ version of the Google Authenticator app.

Recent Changes

N/A

Causes

The barcode includes = padding characters in the base32 encoded secret, which the iOS Google Authenticator rejects but other authenticator apps just ignore. This is a known limitation with the iOS Google Authenticator.

Solution

This issue can be resolved by increasing the minimum secret key length to avoid padding as follows:

Identity Cloud Admin UI

  1. Navigate to Journeys and click the journey that includes the OATH Registration node.
  2. Click the OATH Registration node.
  3. Enter a new value in the Minimum Secret Key Length field that avoids padding; choosing a value of 40 should typically work.
  4. Click Save.

AM Console

  1. Navigate to Realms > [Realm Name] > Authentication > Trees and select the tree that includes the OATH Registration node.
  2. Click the OATH Registration node.
  3. Enter a new value in the Minimum Secret Key Length field that avoids padding; choosing a value of 40 should typically work.
  4. Click Save.
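
The following added example (not ForgeRock code) shows why a value of 40 avoids padding and how to check a provisioning URI for it. It assumes the Minimum Secret Key Length field counts hexadecimal characters (two per byte) and that the generated secret has exactly that length; the function names and sample URIs are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qs


def base32_padding(num_bytes: int) -> int:
    """Count the '=' characters base32 appends to a secret of num_bytes bytes."""
    # Base32 maps every 5 input bytes to 8 output characters, so only
    # lengths that are a multiple of 5 bytes encode without padding.
    return base64.b32encode(bytes(num_bytes)).decode("ascii").count("=")


def padding_for_hex_length(hex_chars: int) -> int:
    """Padding produced by a secret configured as hex_chars hex characters."""
    # Assumption: the node setting is expressed in hex characters (2 per byte).
    return base32_padding(hex_chars // 2)


def secret_is_padded(otpauth_uri: str) -> bool:
    """True if the secret parameter of an otpauth:// URI ends in '=' padding."""
    query = parse_qs(urlsplit(otpauth_uri).query)
    secret = query.get("secret", [""])[0]
    return secret.endswith("=")


def sample_uri(num_bytes: int) -> str:
    """Constructed URI with an all-zero secret (not a real credential)."""
    secret = base64.b32encode(bytes(num_bytes)).decode("ascii")
    return f"otpauth://totp/Example:demo?secret={secret}&issuer=Example"


if __name__ == "__main__":
    # 32 and 64 are constructed comparison values; 40 is the article's value.
    for hex_chars in (32, 40, 64, 80):
        pad = padding_for_hex_length(hex_chars)
        verdict = "no padding" if pad == 0 else f"{pad} '=' characters"
        print(f"{hex_chars} hex chars -> {hex_chars // 2} bytes -> {verdict}")

    for num_bytes in (16, 20):
        uri = sample_uri(num_bytes)
        print(uri, "padded" if secret_is_padded(uri) else "unpadded")
```

Any length whose byte count is a multiple of 5 (40 or 80 hex characters under the assumption above) yields a secret without padding.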

See Also

FAQ: Journeys in Identity Cloud

Journeys


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.